mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-30 06:46:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: validate packet length in AVB get_avb_info handler

Browse source 
Memory Safety: High

The handle_get_avb_info_common() function copied network packet data
into a stack buffer using memcpy(buf, m, len) without validating that
len fits within the 2048-byte buffer. A crafted AVB packet with a
large length could overflow the stack buffer. Added bounds validation
matching the pattern already used in handle_read_descriptor_common().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-27 11:24:11 +02:00
parent 46eefd16ee
commit 88a3bf8aab
1 changed files with 3 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/modules/module-avb/aecp-aem.c
View file

@ -151,6 +151,9 @@ static int handle_get_avb_info_common(struct aecp *aecp, int64_t now,
if (desc_type != AVB_AEM_DESC_AVB_INTERFACE || desc_id != 0)
return reply_not_implemented(aecp, m, len);
if (len < 0 || (size_t)len > sizeof(buf))
return reply_status(aecp, AVB_AECP_AEM_STATUS_BAD_ARGUMENTS, m, len);
avb_interface = desc->ptr;
memcpy(buf, m, len);